?
Solved

How can I kill this Homesearchassistant?

Posted on 2005-03-27
9
Medium Priority
?
1,413 Views
Last Modified: 2012-05-05
I have a PC that is infected with this HOMESEARCASSISTANT crap and I cannot get rid of it.  I have Microsofts AntiSpyware on the computer which is running XP pro so I came up in safe mode and it detects this thing but cannot successfully remove it.  So I saw an entry here for a poor soul who had it on ME and finally got rid of it.  I tried the Adaware in safe mode again it identifies and says it is getting rid of it but restart and it comes right back.

I cannot believe that anyone with any intellegence at all would write something like this!  I tried to use the Hijackthis to get rid of it but I am not sure what all I should delete.

Here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 5:59:16 PM, on 3/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\ipvh32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\ieml.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\TEMP\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\hnbwk.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\hnbwk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\hnbwk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\hnbwk.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\hnbwk.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\hnbwk.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {288E8765-988E-2CAD-E2AA-1387368F9CED} - C:\WINNT\ipxg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [.mscdsr] C:\WINNT\system\lsvchost.exe
O4 - HKLM\..\Run: [VC5MediaPlayer] C:\WINNT\system32\csmrs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ieml.exe] C:\WINNT\ieml.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://kubota1.clnt.virtela.net/vdesk/terminal/urxvpn.cab#version=2004,5,7,1
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1102094427921
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://kubota1.clnt.virtela.net/vdesk/terminal/urTermProxy.cab#version=2004,5,7,1
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://kubota1.clnt.virtela.net/vdesk/terminal/urxshost.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://kubota1.clnt.virtela.net/vdesk/terminal/urxhost.cab#version=2004,5,11,1
O17 - HKLM\System\CCS\Services\Tcpip\..\{885C0F3C-BE14-4C94-A5D6-889D26B7DC56}: NameServer = 64.19.9.18,64.19.9.33


Your help will be gratefully appreciated.

Thanks!
0
Comment
Question by:bergm57
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 13640252
First follow the suggestions from this link to get rid of thsoe res:// entries!

res://random.dll Homepage Hijacker Removal Instructions and Help
http://www.pchell.com/support/onlythebest.shtml

OR Give a try to this tool for the Automatic Removal!
http://www.adwareaway.com/
0
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 2000 total points
ID: 13640264
Then give a try to follow these instructions to clean your system!
First get these tools, if you are not having them already,

SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
HSRemove ==> http://www.snapfiles.com/get/hsremove.html

Then before cleaning the system, Turn off your System Restore >> http://www.pchell.com/virus/systemrestore.shtml
Then boot the system under safemdoe, and login as Administrator
Then Run the above tools one by one and clean the system with them
Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
Then Goto C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
Then Goto C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
Then Goto C:\Documents and Settings\your username\Cookies, and delete all cookies present here
(ofcourse im assuming that u have already saved all the login passwords for ur websites)
Then Goto C:\Windows\Temp and delete all files present here
Then Reboot back in Normal Mode and check if problems are gone or not, good luck :)
0
 
LVL 1

Expert Comment

by:Everseeker
ID: 13683477
Wow. Give  SheharyaarSaahil a cookie!
That was thorough :)
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 13687003
=)
0
 
LVL 13

Expert Comment

by:gonzal13
ID: 13689308
ShaharyallSaahil is a person that, like I am, in love with computers. It is like having a cigarette habit. Also it is a desire to help people where on gets satisfaction when one suceeds. It really is not the points, just that great satisfaction.

Here is some more data on 'malware' Download them, put the icons on the screen and then go into safe mode to remove them. The reason is that a ;malware' may be resident in memory in 'normal' mode thus it will just reinfect your computer.

MALWARE  PROGRAMS

There can sometimes be a very fine line between a Virus and "spyware", generally Norton AntiVirus (and most other antivirus applications) will not detect normal "spyware" unless it comes in the form of what is referred to as a "Trojan".  This name is taken from the historical "Trojan Horse" where invaders sneaked into the walled city hidden in a wooden horse.  Similarly, a computer Trojan comes packaged and disguised as something else, and sneaks into your system where it can hide unseen doing a variety of things such as stealing passwords and sending them out to some other remote computer, monitoring activity, etc.

AntiVirus applications are often able to detect known Trojans, but not always.  It is very important for this reason to always allow your AntiVirus program to check regularly for updated "definition" files.  These are the "libraries" (for want of a better word) that the program uses to detect known threats, and new definition files will find new viruses.

Spyware is generally less nasty than a Trojan, but can certainly be a security leak.  In normal cases, they are huge annoyances rather than actual "spies".  I suppose that, if there were sub-categories, they could be divided into "Internet Home Page HiJackers" that redirect your internet pages constantly to specific search pages, "Ad Ware" which monitors your internet browsing habits and transmits them to central repositories for marketing purposes, and "Scumware" that sneakily installs programs that masquerade as legitimate programs and do similar things as "Adware", and "Scumware" which just messes up your system for no particular reason.

For the most part, all of these rely on changing or adding registry settings.  For instance, some will install and register files that have very similar names to genuine Windows system files so that a user checking what program files are currently being used won't immediately suspect a rogue process at work.  Some replace a windows system file with a rogue version of their own, and change a registry setting so that their rogue file does something else entirely different.

There is something known as a "Browser Helper Object" or BHO.  Most are legitimate and helpful, such as the integration of Adobe Acrobat Reader which will open up within Internet Explorer if you click on a link to a .PDF file.  Other BHO's are Norton AntiVirus Helper, which adds a "Scan with NAV" to various places and also runs behind the scenes ready to scan incoming email.  Unfortunately, some unscrupulous programs add unwanted BHO's into your system.

To somebody who is neither well acquainted with the names of files and folders in the "system" areas, and who has never had to know what lies in their windows registry, it can be difficult for that person to identify results thrown up by spyware removal tools.

Microsoft is often maligned and accused of creating unwanted, annoying, or "big brother-like" processes in Windows, and for that reason anti-spyware programs will often identify normal Windows registry settings, files, and processes as undesireable.  In most cases, these found items can be safely removed using the anti-spyware tool without suffering any adverse effects because they are not crucial to functionality.  In odd cases, however, allowing an anti-spyware utility to remove something could adversely affect your system.

There is also the risk that, by removing a rogue file that has deliberately replaced a legitimate system file, your system will look for that file and throw up errors when it can't find it.
The above was plagerized from BilDll

Anti spyware tutorial

Spyware, also known as adware or malware, are programs that can cause problems. These include: pop up advertisements on your computer, browser hijacks, search engine hijacks, website redirections, website restrictions, computer problems (like slowdowns, lockdowns, etc.), personal information being logged in without your permission, preventing you access to certain sites or the whole internet, etc. Some spyware are worst than viruses, in my opinion. This section was created to help you detect and remove any suspicious activity that may be going on your computer. Also included is a section on how to prevent future spyware installations. Please read and follow the steps below to help make this process much faster and easier.

Before running any spyware programs, please run an online antivirus scan at one of the below sites to make sure that you don't have a virus. It is recommended to run a scan online because there are some viruses that can disable or make themselves invisible to the antivirus programs you have on your computer. If any viruses are found, write them down and remove them. Before running any of them, first disable System Restore if you have Windows ME/XP. You may use more than one:

http://www.greyknight17.com/spyware.htm


Spyblaster
http://www.javacoolsoftware.com/spywareblaster.html

Spybot Search and Destroy

Spybot - Search & Destroy can detect and remove a multitude of adware files and modules from your computer. Spybot also can clean program and Web-usage tracks from your system, which is especially useful if you share your computer with other users. Modules chosen for removal can be sent directly to the included file shredder, ensuring complete elimination from your system. For advanced users, it allows you to fix registry inconsistencies related to adware and to malicious program installations. The handy online-update feature ensures that Spybot always has the most current and complete listings of adware, dialers, and other uninvited system residents

http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

Ad-Aware

Malware can track your surfing habits, abuse your Internet connection by sending this data to a third party, profile your shopping preferences, hijack your browser start page or pages, alter important system files, and can do this without your knowledge or permission

http://www.lavasoftusa.com

CWShredder

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml

http://download.softpedia.com/software/antivirus/CWShredder.exe


Note: Run "CoolWWWSearch.SmartKiller removal tool" BEFORE running CWShredder.

CoolWWWSearch.SmartKiller (v1 and v2) is a new, real ugly variant of CoolWWWSearch. When running, it will close every browser window you use to visit a large list of anti-spyware-sites, and even will close Spybot-S&D and some other anti-spyware applications as well.

http://www.safer-networking.org/files/delcwssk.zip











HiJack This!

HijackThis : A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgable folks (e.g. the forums) before deleting anything.

http://www.merijn.org/files/hijackthis.zip
http://www.spychecker.com/program/hijackthis.html

Hyjack Tutorial

http://www.merijn.org/htlogtutorial.html

Paste logfile created into the text box here:

http://www.hijackthis.de/en

Remove all noted as "Nasty".

CWshredder
A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names). Spybot S&D and Ad-aware tend to forget essential parts of the hijack, so until they update, you can use this to completely remove the hijack. This program is updated to remove the new variants once they come out  

Installing is CWShredder. Unzip the program to your Desktop. Double click on it to open up the program. Click on Fix and let it remove any traces found. When you click Fix, it will ask you to close all browser windows, so make sure you don't have Internet Explorer, Netscape or any other browser running. Click OK. It will scan and remove any files found. If a window pops up asking you if you want to delete a certain file, choose NO.
Next run Ad-aware

 http://www.majorgeeks.com/download4086.html

Spybot Search and destroy

Spybot - Search & Destroy can detect and remove a multitude of adware files and modules from your computer. Spybot also can clean program and Web-usage tracks from your system, which is especially useful if you share your computer with other users.

http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button


http://www.safer-networking.org/en/index.html

gonzal13(joe)
0
 
LVL 7

Expert Comment

by:jatcan
ID: 13703297
anybody ever heard of x-clean scanner? It IS a good tool you know, I use it daily,

give this a shot in safe mode.
turn off system restore
fix up the temprorary internet files as SheharyaarSaahil suggested...
run all the other stuff above first: except online virus scanners...then run this:

http://www.spywareguide.com/txt_onlinescan.html

under the CLICK HERE TO SCAN message there is a much smaler click here to scan, do that one, and run it from it's current location, or open it, then click run...click remove on all dangerous program found popups, do not create a restore ponit, do not attempt to run any "uninstall" programs that may appear, simply "X" out of them or ignore them, if you cannot see x-clean scanner, click it's taskbar buton to bring it back into view, then click remove on it, do not reboot when it asks you to, click no to the reboot instead, then witho9ut touching ANY popup windows for uninstalling programs or webpopups displaying ads or "You computer is infected" messages, shutdown the system using the power button on the case, this prevents infected data to be "flushed" to disk on shutdown, therby peventing re-infection, start it back up into safde mode with networking once more, do the online virus scanners just to be sure, I use

http://housecall.trendmicro.com 

and usually follow it up with Panda online scanner:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

After all that reboot to normal mode, if the problem still persists, then you most likely have aq hidden service accessible only from the recovery console, you need to disable, and then delete it.

Good Luck,

John
0
 

Author Comment

by:bergm57
ID: 13778211
Sheharyaar -
That did the trick the first time.  Sorry, I took a while to check back in.  The homesearchassistant is gone.  I just used the adwareaway tool.  The only gotcha was that it killed IE and I had to reload it but of course that was nothing.  Thanks for the advice!

-bergm57
0
 
LVL 7

Expert Comment

by:jatcan
ID: 13778711
Most likely it did not kill IE but rather corrupted the winsock entry's in the registry...did you try downloading winsockxpfix.exe?

You should have it handy in case this re-occurs, a few clicks to repair winsock damage is worth the 10 second download time:-)

http://www.iup.edu/house/resnet/WinsockXPFix.exe

Glad you got your problems all worked out though.

Cheers,

J
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 13780390
glad its all working now! :)
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PREFACE The purpose of this guide is to explain how to manually move a SEP client to a different client group by performing steps on the client-side. These steps may prove particularly useful because they allow the client to move after it has alrea…
Have you ever tried to find someone you know on Facebook and searched to find more than one result with the same picture? Perhaps someone you know has told you that they have a 'facebook stalker' or someone who is 'posing as them' online and ta…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question